| Message ID | 20180813203153.562-1-keith.busch@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [ndctl] ndctl: Work around kernel memory corruption | expand |
On 08/13/2018 01:31 PM, Keith Busch wrote: > Kernel commit efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden > ars_status output length handling") contained an incorrect ars status > output size calculation and may overrun the buffer provided by 4 > bytes. This patch adds 4 bytes to the buffer the user space allocates > so that the kernel's overrun doesn't corrupt the application's heap. > > See kernel patch for more details: > > https://patchwork.kernel.org/patch/10563103/ > > Signed-off-by: Keith Busch <keith.busch@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> > --- > ndctl/lib/ars.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/ndctl/lib/ars.c b/ndctl/lib/ars.c > index c78e3bf..bd75131 100644 > --- a/ndctl/lib/ars.c > +++ b/ndctl/lib/ars.c > @@ -133,7 +133,16 @@ NDCTL_EXPORT struct ndctl_cmd *ndctl_bus_cmd_new_ars_status(struct ndctl_cmd *ar > } > > size = sizeof(*cmd) + ars_cap_cmd->max_ars_out; > - cmd = calloc(1, size); > + > + /* > + * Older kernels have a bug that miscalculates the output length of the > + * ars status and will overrun the provided buffer by 4 bytes, > + * corrupting the memory. Add an additional 4 bytes in the allocation > + * size to prevent that corruption. See kernel patch for more details: > + * > + * https://patchwork.kernel.org/patch/10563103/ > + */ > + cmd = calloc(1, size + 4); > if (!cmd) > return NULL; > >
diff --git a/ndctl/lib/ars.c b/ndctl/lib/ars.c index c78e3bf..bd75131 100644 --- a/ndctl/lib/ars.c +++ b/ndctl/lib/ars.c @@ -133,7 +133,16 @@ NDCTL_EXPORT struct ndctl_cmd *ndctl_bus_cmd_new_ars_status(struct ndctl_cmd *ar } size = sizeof(*cmd) + ars_cap_cmd->max_ars_out; - cmd = calloc(1, size); + + /* + * Older kernels have a bug that miscalculates the output length of the + * ars status and will overrun the provided buffer by 4 bytes, + * corrupting the memory. Add an additional 4 bytes in the allocation + * size to prevent that corruption. See kernel patch for more details: + * + * https://patchwork.kernel.org/patch/10563103/ + */ + cmd = calloc(1, size + 4); if (!cmd) return NULL;
Kernel commit efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden ars_status output length handling") contained an incorrect ars status output size calculation and may overrun the buffer provided by 4 bytes. This patch adds 4 bytes to the buffer the user space allocates so that the kernel's overrun doesn't corrupt the application's heap. See kernel patch for more details: https://patchwork.kernel.org/patch/10563103/ Signed-off-by: Keith Busch <keith.busch@intel.com> --- ndctl/lib/ars.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)